Ubuntu Phone hit with serious security vulnerability

Ubuntu and other Linux-based operating systems are extremely secure, but nothing is infallible.

While you are arguably safer than on Windows or OS X, the argument can also be made that a little common sense goes a long way. In other words, all modern operating systems can be rather secure, as long as the user is not lackadaisical in their behaviour.

You may be surprised to hear that Ubuntu Phone has a rather nasty security vulnerability. Don't worry, the desktop operating system is not impacted; it is a phone-only affair. Still, it is scary to see something like this fall through the cracks.

"At 2015 Oct 14 22:50 UTC a member of the Ubuntu App Developer Community published a post about an app named 'test.mmrow' in the Ubuntu Phone's Software Store that exploited a previously unknown bug in the application installation system. Upon clicking the 'Tap me' button in the app, a script was created that modified the boot splash screen, and gave the intruder root access. This could happen only on Ubuntu Phones; users of Ubuntu on the desktop, server, cloud and snappy Ubuntu Core devices are not affected", says Canonical.

The Ubuntu-maker further says, "Canonical engineers started investigating and taking preventative actions shortly after. Specifically, a root cause analysis was started to understand the exploit, and by 2015 Oct 15 00:50 UTC uploads and downloads from the store were temporarily disabled while the team addressed the issue. A fix was issued for the core issue was available by 2015 Oct 15 04:23 UTC, all the apps in the store have been scanned to ensure that no other apps exploited the same security hole. The store has been re-enabled. Additionally, a full update is being prepared for all Ubuntu Phone users to address the underlying issue".

Luckily, there are not many people actually using Ubuntu Phones. Hilariously, a total of 15 people downloaded the offending application. No, that is not a typo; 15 people. Because the number is so small, Canonical has reached out to all of these people individually, and had them uninstall.

Canonical is currently working on an update to patch the exploit, but more importantly, the company wants to be sure such a thing is caught before reaching the Ubuntu App Store in the future. If users cannot trust the content in the app store, how can they trust the Ubuntu Phone experience?

Do you use an Ubuntu Phone? Does this bother you? Tell me in the comments.